Cookies along the way.

RSS FTW

Social

Contact

Search

PostgreSQL Security

My first “in-person” class of my graduate program was a discussion on security of PostgreSQL given by Bruce Momjian. Not surprisingly, PostgreSQL offers a full range of SSL support and a slew of encryption options. As impressive as the options are, the challenge seems to me, in deciding what trade-offs make sense for a particular employment.

For example, if one chooses column level encryption, than that data is not only encrypted to malicious entities, but to friendly daemons like the statistics collector. There are definitely some interesting systems engineering decisions that need to made when deciding what data is critical enough to be encrypted.

On the TLS side, I couldn’t help but to think of Adam Langely’s (Google Chrome TLS guy) talk from HOPE#9, which I unfortunately did not attend but fortunately, the audio is now posted! Essentially, if the state of web SSL is as bad as he says it is, I wonder how many databases actually have SSL incorporated correctly? Of course, security is a multi-pronged beast and SSL isn’t going to help you when somebody steals the hard-drive with your database on it.

Having taken classes only online, I took advantage of this antiquated medium (going to class in person is so 2011) and asked a lot of questions, probably much to the chagrin of my fellow students. But, it was a nice change of pace and I can see why so many physical study groups have sprung up from the Coursera courses.

I was a little surprised to see that PostgreSQL uses md5 for its password hashing. They constantly use random salt, so it looks like the data is ephemeral enough that they minimize the chance for a collision. And I’m sure there would be a big upgrade pain to move off of md5…